1CO. 


Information Commissioner’s Office 


The role of data ethics in complying with the GDPR 


Privacy statement 

For this survey, we will publish all responses received from organisations but we will 
remove any personal data before publication. We will not publish responses received from 
respondents who have indicated that they are an individual acting in a private capacity (eg 
a member of the public). For more information about what we do with personal data see our 
privacy notice. 


Existing practice 


Qi 


Q2 


Q3 


Does your organisation currently use an existing, publicly-available ethical framework 
in its decision-making processes? 


7 Yes 
21 No 


If yes, please provide a link to that framework below, then please go to Q6. 


7 


If no, does your organisation plan to adopt any such publicly-available ethical 
framework? 


2 Yes 
9 No please go to Q5. 
11 Unsure /don't know please go to Q5. 


Q4 If yes, when do you anticipate this adoption taking place within? then please go to 


Q6. 

0 3 months 
1 6 months 
1 12 months 


O >12 months 


Q5 Alternatively, is your organisation either developing or planning to develop its own 
bespoke ethical framework? 
13 Yes 
6 No please go to Q11 
3 Unsure/don't know please go to Q11 


Q6 Why did you choose that particular framework? [Tick all that apply] 


5 Comprehensive 

9 Clear 

10 Best fit for purpose 
3 Bestin class 

7 Other 

3 Unsure/don't know 


Q7 What were (or what do you perceive will be) the three largest obstacles to building 
the framework into your organisation's decision-making processes effectively? [Tick 
all that apply] 

10 Unclear how to integrate ethical principles into processes 
9 Organisational cultural resistance/inertia 

Benefit proposition not clearly articulated or communicated 

No responsible person nominated 

Other 

Unsure/don't know 


WwW NOA 


Q8 Are (or will) the framework's considerations be integrated into your data protection 
impact assessment or legitimate interest assessment, or are they undertaken as part 
of a separate process? 


10 Integrated 
4 Separate 
6 Unsure/don't know 


Organisation 


Q9 


Q10 


Q11 


Q12 


Q13 


Q14 


Q15 


Does your organisation have someone formally responsible for ‘data ethics’? 


13 Yes 
8 No 
1 Unsure/don't know 


If yes, what is this person's title, how senior are they and where within your 
organisation does their role sit? then please go to Q13. 


Please use less than 1000 characters count 


15 


If no/unsure/don't know, are ethical considerations nevertheless raised informally by 
colleagues not expressly responsible for data ethics? 


17 Yes 
1 No please go to Q15 
2 Unsure/don't know please go to Q15 


If yes, are these ad-hoc issues raised appropriately and dealt with in a constructive 
manner? 


15 Yes 
1 No 
3 Unsure/don't know please go to Q21 


Does your organisation have a Data Ethics Board? 


5 Yes 
20 No 


1 Unsure/don't know please go to Q21 


If yes, describe briefly who sits on it, what their disciplines are, how frequently it 
meets, how senior its members are and whether they are internal/external to your 
organisation, then please go to Q17. 

Please use less than 1000 characters count 


7 


If no, is your organisation considering establishing a Board? 


3 Yes 
7 No please go to Q21 
9 Unsure/don't know please go to Q21 


Q16 


Q17 


Q18 


Q19 


Q20 


Q21 


Q22 


If yes, when do you anticipate this taking place within? 


1 3 months 

1 6 months 

1 12 months 
1 >12 months 


Does or will your organisation's Data Ethics Board have decision-making power or is 
it, or will it be, only consultative? 


5 Decision-making 
2 Consultative 

O Neither 

5 Unsure/don't know please go to Q21 


If you answered: Decision-making 


Has the Board declined business proposals or asked them to be re-formulated? 


4 Yes 
1 No 
0 Unsure/don't know 


If you answered: Consultative 


How is its impact measured? Please use less than 1000 characters count 


3 


If you answered: Neither 


Please explain. Please use less than 1000 characters count 


0 


Does your organisation have a data protection officer (DPO)? 
24 Yes 

3 No 

0 Unsure/don't know please go to Q25 


If yes, is it mandatory for your organisation or have you appointed someone 
voluntarily? 

20 Mandatory 

4 Voluntary 

2  Unsure/don't know 


Q23 If no, are you considering appointing a DPO voluntarily? 


1 Yes 
2 No please go to Q25 
O Unsure/don't know please go to Q25 


Q24 If yes, when do you anticipate this taking place? 


0 3 months 

0 6 months 

1 12 months 
0 >12 months 


Ethical Decision Making 


Q25 Does your organisation always take the same factors into account when assessing 
Art.5(1)(a) ‘fairness’? 


9 Yes 
14 No 


4 Unsure/don't know please go to Q30 


Q26 If yes, what are those factors? 


Please explain. Please use less than 1000 characters count 


9 


Q27 If no, is this because there is no formalised structure around how to consider 
‘fairness’, or because context is taken into account? 


7 No formal structure 
8 Context specific 


Q28 If no formal structure, list the considerations most frequently discussed when 
assessing ‘fairness’ 


Please use less than 1000 characters count 


6 


Q29 


Q30 


Q31 


Q32 


Q33 


If context-specific, what is the process for choosing the correct ‘fairness’ criteria for 
any given set of circumstances? 


Please use less than 1000 characters count 


7 


How do you record the factors taken into account when assessing whether a data 
controller's legitimate interest is overridden by data subjects’ interests or 
fundamental rights and freedoms when relying on Art.6(1)(f)? 


Please use less than 1000 characters count 


21 


Do you think ethical considerations should be taken into account when relying on 
Art.6(1)(f) to justify your processing as a data controller? 


23 Yes 
2 No 
2 Unsure/don't know please go to Q34 


If yes, what are the three most important ethical factors to your organisation? 


Please use less than 1000 characters count 


20 


If no, why not? 


Please use less than 1000 characters count 


2 


Compliance programmes 


Q34 


If your organisation has adopted explicitly ethical considerations, are these built into 
your training materials? 
13 Yes 
5 No 
Unsure/don't know please go to Q38 
7 No such adoption please go to Q38 


Q35 If yes, are these training materials the same as, or delivered alongside, data 
protection training content? 


11 Yes 
2 No 


Q36 If no, are you planning to create such training materials 


6 Yes 
2 No 


Q37 If yes, when do you anticipate this taking place within? 


3 months 

6 months 
12 months 
>12 months 


N NNO 


Q38 When selecting a third-party processor, do you assess whether they have an ethics 
based programme? 


3 Yes 
17 No please go to Q40 
8 Unsure/don't know please go to Q40 


Q39 If yes, do you have examples of the existence or robustness of any such programme 
putting the potential service provider in a preferred position? 


2 Yes 
1 No 
0 Unsure/don't know 


About you 


This section is optional - telling us who you are will help us to understand your needs more 
clearly as we design our guidance products, but you may answer the survey anonymously 
should you wish. 


Q40 Your name: 


13 


Q41 Work email address: 
12 


Q42 Who are you answering as? Please select as appropriate: 


--Click Here-- ad 
As a member of the public 4 
On behalf of an organisation (please specify) 18 
On behalf of a sector or group (please specify) 0 


If you are a member of the public please move to the end of the survey. 


Q43 If you answered, On behalf of an organisation or Sector group, please specify below: 


15 


Q44 What is your role in your organisation? 


--Click Here-- ~ 
Data Protection Officer 8 
Information Security Officer 0 
Data Protection Adviser 4 
Ethics Adviser 2 
Legal Adviser 0 
Other (please specify) 7 


Q45 If other, please specify below: 
8 


Q46 What sector do you work in? 


--Click Here-- ad 
Public 5 
Private 16 
Third/Charity/Voluntary 1 
Combination of the above (please specify) 1 


Q47 If you answered, a combination of the above then please specify below: 


Please use less than 1000 characters count 


3 


Thank you for completing the survey. 


To submit your responses please click below 


